Hello folks,

  (apologies for the wide distribution; hopefully someone will be able
to help me with the issue below).

  We develop a tool performing security scans / audits of the system. This tool
is able to compare the system in question against various rules, and one of
these rules ('Verify and Correct File Permissions with RPM') fails on a common
(RHEL-6) system.

When inspecting the failure more deeply, I noticed all these files are marked as
%ghost files in the particular *.spec file. The test is failing due to changed
group ownership & mode on these files.

Having a look at:
  [1] http://fedoraproject.org/wiki/PackagingDrafts/Logfiles

suggests it should be possible to define the particular *.spec %ghost section in
such a way that rpm -V would be silent (at least wrt the 'md5', 'size' & 'mtime'
attributes).

Since the files marked as %ghost are kind of special:
  [2] http://www.rpm.org/max-rpm-snapshot/s1-rpm-inside-files-list-directives.html

I am wondering if it's even possible to classify the %ghost file in the
particular *.spec file in such a way that rpm -V would be silent wrt group
ownership & mode changes.

If I got the %ghost directive meaning [2] correctly:
* RPM knows about the ghosted file (it's saved into RPM db),
* but it will not add it to the package (but in the moment of build
  that file needs to be present in the buildroot),
* that file will be marked as owned by the package, and will be
  removed when the package is removed,
* that file won't be visible from package file's listing (rpm -ql),
* [2] also mentions it's possible to use 'rpm --setperms' on the ghosted
  file to fix its permissions.

The question:
Suppose 'rpm -V' reports a group ownership change & mode change failure. The
question is how to write the corresponding *.spec %ghost section so that this
is not reported?

Use something like:

%ghost %verify(not group mode md5 size mtime) file_path

Wouldn't this tell RPM that if there's a change in some of the group / mode /
md5 / size / mtime attributes of that file, that change should be ignored?

Or, instead of blessing the attributes like above, is it better to:
* get the expected group owner & mode for that %ghost file from the RPM db,
* and at the moment of creating that file call 'chgrp / chmod' with
  the expected values?

In case someone is interested in data wrt these failing files, those
are mainly db / SQLite / log or pid files. Some examples:
* /var/log/gdm
* /var/run/gdm
* /var/run/abrt.pid
* /var/lib/rpm/__db.*
* /var/lib/mlocate/mlocate.db
* /var/lib/PackageKit/transactions.db
* ... etc.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
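As an added illustration (not code from the original message, from the scanning tool it describes, or from rpm itself), the following Python script parses `rpm -V` output, keeps only the ghost-marked files whose mode or ownership differs from the RPM database, and builds the `%verify(not ...)` line that would silence exactly the checks that failed. The sample output lines are constructed; the flag layout (S M 5 D L U G T P, with a `g` marker on %ghost files) is assumed to be the rpm 4.6+ format shipped in RHEL-6, and the `%verify` keyword spellings are taken from the post.

```python
"""Parse `rpm -V` output and pick out the %ghost files whose ownership or
mode drifted, then build the %verify(not ...) clause that would silence
exactly those checks.

Assumed `rpm -V` line layout (rpm 4.6+, as in RHEL-6): a 9-character flag
field "SM5DLUGTP" (a '.' per unchanged attribute, '?' where the check could
not be run), an optional attribute marker (c d g l r), then the path. A file
that is absent prints "missing" in place of the flag field.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Attribute names for each flag position in the rpm -V output.
FLAG_NAMES = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "link",
    "U": "user", "G": "group", "T": "mtime", "P": "caps",
}

# %verify() keywords (spec file syntax) for the flags the post is concerned
# with; "md5" is the spelling used in the post. Flags without a mapping here
# (D, P) are simply left out of the generated clause.
VERIFY_KEYWORDS = {
    "S": "size", "M": "mode", "5": "md5", "L": "symlink",
    "U": "user", "G": "group", "T": "mtime",
}

ATTR_MARKERS = {"c": "config", "d": "doc", "g": "ghost", "l": "license", "r": "readme"}

LINE_RE = re.compile(
    r"^(?P<flags>missing|[SM5DLUGTP.?]{8,9})\s+"  # 8 chars on older rpm (no P column)
    r"(?:(?P<attr>[cdglr])\s+)?"
    r"(?P<path>/\S.*)$"
)

# Constructed sample of `rpm -V` output; not real output from any host.
SAMPLE_LINES = """\
.M....G..  g /var/run/abrt.pid
.M....G..  g /var/log/gdm
.......T.  g /var/lib/PackageKit/transactions.db
S.5....T.  c /etc/ssh/sshd_config
missing    g /var/lib/mlocate/mlocate.db
.......T.    /usr/lib64/libexample.so.1
""".splitlines()


@dataclass
class VerifyRecord:
    path: str
    flags: str                 # raw flag field, e.g. ".M....G.."
    changed: List[str]         # names of the attributes that differ
    attr: Optional[str]        # "ghost", "config", ... or None
    missing: bool = False


def parse_verify_line(line: str) -> Optional[VerifyRecord]:
    """Turn one `rpm -V` output line into a VerifyRecord; None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = m.group("flags")
    attr = ATTR_MARKERS.get(m.group("attr") or "")
    if flags == "missing":
        return VerifyRecord(m.group("path"), flags, [], attr, missing=True)
    # '.' (unchanged) and '?' (not checkable) are not counted as drift.
    changed = [FLAG_NAMES[c] for c in flags if c in FLAG_NAMES]
    return VerifyRecord(m.group("path"), flags, changed, attr)


PERMISSION_ATTRS = {"mode", "user", "group"}


def ghost_permission_failures(lines) -> List[VerifyRecord]:
    """Ghost files present on disk whose mode or ownership differs from the RPM db."""
    found = []
    for line in lines:
        rec = parse_verify_line(line)
        if rec is None or rec.missing or rec.attr != "ghost":
            continue
        if PERMISSION_ATTRS & set(rec.changed):
            found.append(rec)
    return found


def verify_exclusion(rec: VerifyRecord) -> str:
    """%files line telling rpm -V to skip exactly the checks that failed on rec."""
    keywords = [VERIFY_KEYWORDS[c] for c in rec.flags if c in VERIFY_KEYWORDS]
    if not keywords:
        return "%%ghost %s" % rec.path
    return "%%ghost %%verify(not %s) %s" % (" ".join(keywords), rec.path)


if __name__ == "__main__":
    for rec in ghost_permission_failures(SAMPLE_LINES):
        print("%-40s changed: %s" % (rec.path, ", ".join(rec.changed)))
        print("    " + verify_exclusion(rec))
```

Note the trade-off the post itself raises: a `%verify(not mode group ...)` line makes `rpm -V` stop reporting the drift, but it also stops the audit rule from noticing when a pid, log or database file ends up group-writable or owned by the wrong group. The second option in the post (read the expected owner and mode from the RPM db and apply them when the file is created, or run `rpm --setperms`/`rpm --setugids` afterwards) keeps the check meaningful, so the parser above only tells you which files and attributes are involved; it does not decide which fix is right.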
